SEC adopts cybersecurity risk management, strategy, governance, and incident disclosure rules

The rules will require registrants to describe processes for identifying and managing material risks from cybersecurity threats.

The SEC has adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. Foreign private issuers will be required to make comparable disclosures.

Under the adopted rules, registrants will be required to disclose on new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material, generally within four business days of that materiality determination, and to describe the material aspects of the incident’s:

  • nature;
  • scope;
  • timing; and
  • material impact or reasonably likely material impact on the registrant.

“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Material risks from cyber threats

New Regulation S-K Item 106 will also require registrants to describe:

  • their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats; and
  • the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.

With Item 106, registrants will also be required to describe:

  • the board of directors’ oversight of risks from cybersecurity threats; and
  • management’s role and expertise in assessing and managing material risks from cybersecurity threats.

This information will be required in the annual report on Form 10-K.

In addition to the requirements listed above, the rules require comparable disclosures by foreign private issuers: material cybersecurity incidents on Form 6-K, and cybersecurity risk management, strategy, and governance on Form 20-F.

“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” Gensler added.

The final rules will become effective 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.

The Form 8-K and Form 6-K disclosures will be due beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.

Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.